Netgear, D-Link, and Huawei routers are being aggressively probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet called Mozi, which is related to the Gafgyt malware and reuses some of its code.

Security researchers at 360 Netlab, who discovered it and tracked its activity for roughly four months, also found that the botnet's main purpose is carrying out DDoS attacks.

The botnet runs on a custom extended Distributed Hash Table (DHT) protocol built on the standard one commonly used by torrent clients and other P2P platforms to store node contact information.

This makes it faster to build out the botnet's network without needing any servers, and easier to “hide the valid payload in the vast amount of normal DHT traffic so detection is impossible without proper knowledge,” as 360 Netlab found.

Mozi also uses ECDSA384 and the XOR algorithm to ensure the integrity and security of the botnet's components and of the P2P network.

The malware spreads to new vulnerable devices via Telnet and exploits: it logs in to any targeted router or CCTV DVR that uses a weak password, and drops and runs a payload after successfully exploiting unpatched hosts.

Once the malware is loaded on the compromised device, the newly started bot automatically joins the Mozi P2P network as a new node.

In the next stage of the infection, the new bot node receives and executes commands from the botnet master, while also probing for and infecting other vulnerable Netgear, D-Link, and Huawei routers to add to the botnet.

“After Mozi establishes the p2p network through the DHT protocol, the config file is synchronized, and the corresponding tasks are started according to the instructions in the config file,” the researchers explain.

To ensure that their botnet is not taken over by other threat actors, Mozi's operators set it up to automatically verify all commands and synced configs sent to the botnet's nodes, with only those passing these built-in checks being accepted and executed by the nodes.
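The config check described in the last two paragraphs, as an added example that is not from the article or from 360 Netlab's analysis: a Go model of a node that applies a synced config only when its ECDSA P-384 signature verifies under the one master key it already trusts, so a corrupted config or one signed by a rival's key is dropped. The sample config bytes, the SHA-384 digest step and the ASN.1 signature encoding are assumptions; the article only states that ECDSA384 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
)

// SignConfig is the operator side: hash the config with SHA-384 and sign the
// digest with a P-384 private key, producing an ASN.1 DER signature.
func SignConfig(priv *ecdsa.PrivateKey, config []byte) ([]byte, error) {
	digest := sha512.Sum384(config)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// AcceptConfig is the node side: masterPub is the single key a bot trusts
// (assumed embedded in the binary); anything not signed by it is dropped.
func AcceptConfig(masterPub *ecdsa.PublicKey, config, sig []byte) bool {
	digest := sha512.Sum384(config)
	return ecdsa.VerifyASN1(masterPub, digest[:], sig)
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustSign(k *ecdsa.PrivateKey, config []byte) []byte {
	s, err := SignConfig(k, config)
	if err != nil {
		panic(err)
	}
	return s
}

// Scenario covers a genuine config, the same config corrupted in transit, and
// a config signed by a rival's key; returns (genuineOK, tamperedOK, rivalOK).
func Scenario() (bool, bool, bool) {
	master, rival := mustKey(), mustKey()
	config := []byte(`{"ver":2,"dht_port":6881}`) // constructed sample config
	sig, rivalSig := mustSign(master, config), mustSign(rival, config)
	tampered := append([]byte(nil), config...)
	tampered[len(tampered)-2] ^= 0x01 // corrupt one byte of the port value
	return AcceptConfig(&master.PublicKey, config, sig),
		AcceptConfig(&master.PublicKey, tampered, sig),
		AcceptConfig(&master.PublicKey, config, rivalSig)
}
```

Because every node checks against a key it already holds, being able to inject DHT traffic does not let a defender push a config to the bots; containment has to come from credential hygiene and patching on the devices themselves.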
